2017-01-12 02:38 AM
Hi,
I want to capture traffic after the F5 (BIG-IP) to see the unencrypted traffic, but if I do, I see the source IP is the F5's IP address.
How can this issue be solved so I can see the original source IP?
I appreciate your support.
2017-01-12 09:30 AM
You may want to TAP and capture that traffic first to see what data is available. There may be an x-forwarded-for or similar header that would contain that originating IP address. However, that would be in a different meta key than ip.src or ip.dst.
You may also want to consult F5 for various configuration options that are available to get you the data you need.
Packet decoders simply parse out the traffic as it's presented to it. If the data is there, the decoders can typically extract it as meta either natively or with some custom parsing. Obviously, it would need the data to be there first.
Chris
2017-01-15 06:02 PM
We ran into a similar issue but have solved it. The http lua parser has an options file that permits you to store the original IP from X-forwarded-for headers in either the orig_ip meta field (as text) or the alias.ip field (as IPv4). The problem with the alias.ip field is that any IPs resolved from alias.host values in the same session will be stored in alias.ip, so it's difficult to specify which alias.ip value has what role.
We wrote custom lua parsers to extract x-forwarded-for, client_ip, and cnp-true-clientip values and store them in a custom meta key (IPv4 format) called client.ip. We wrote a similar parser to extract the x-originating-ip from smtp traffic since that value was also getting added to the already crowded alias.ip field.
Let me know if you'd like me to share any of our parsers.
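Added example (not one of Michael's parsers, and not the NetWitness Lua parser API): the same header-to-meta logic in Python, run over a constructed HTTP request head. It walks the X-Forwarded-For chain from the proxy side inward and skips hops that are known proxies, so a client-supplied prefix in the chain cannot override the hop the F5 actually appended; the trusted proxy address 10.0.0.5 and the sample requests are assumptions.

```python
import ipaddress

# Header names the custom parsers in the thread look for (lower-cased).
CLIENT_IP_HEADERS = ("x-forwarded-for", "client_ip", "cnp-true-clientip", "x-originating-ip")

# Assumption: addresses of our own proxies (e.g. the F5 self-IP) that may appear
# in an XFF chain. Everything to the left of the hop a trusted proxy appended is
# client-controlled text, so it is skipped rather than believed.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def parse_headers(raw: bytes) -> dict:
    """Split an HTTP request head into a lower-cased header map; repeated headers are joined."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def extract_client_ip(raw: bytes, trusted=TRUSTED_PROXIES):
    """Return ("client.ip", "<ipv4>") for the first usable header, or None.

    The right-most hop not belonging to a trusted proxy is the one the proxy
    appended, i.e. the address that actually connected to it.  Non-IPv4 tokens
    (garbage, "unknown", IPv6) are ignored so the meta stays in IPv4 format.
    """
    headers = parse_headers(raw)
    for name in CLIENT_IP_HEADERS:
        if name not in headers:
            continue
        hops = []
        for token in headers[name].split(","):
            try:
                hops.append(ipaddress.IPv4Address(token.strip()))
            except ValueError:
                continue
        for hop in reversed(hops):
            if hop not in trusted:
                return ("client.ip", str(hop))
    return None


# Constructed sample: client-supplied "1.1.1.1" sits left of the hop the F5 appended.
SAMPLE_REQUEST = (b"GET /login HTTP/1.1\r\nHost: app.example\r\n"
                  b"X-Forwarded-For: 1.1.1.1, 203.0.113.9, 10.0.0.5\r\n\r\n")

if __name__ == "__main__":
    print(extract_client_ip(SAMPLE_REQUEST))   # ('client.ip', '203.0.113.9')
```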
2017-01-17 06:33 AM
Hi Michael,
Thanks for your reply. As I understood from you, we can configure the BIG-IP to add an X-Forwarded-For header with the original IP. If this is the situation, I appreciate your offer of sharing the custom parser so I can run a test on my network.
2017-01-17 06:34 AM
Thank you Christopher, I will do some tests by capturing data after the F5.